Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/ckeditor4-dev@4.14.1

Type npm

Namespace

Name ckeditor4-dev

Version 4.14.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url VCID-c8r2-wpf3-47f9

vulnerability_id VCID-c8r2-wpf3-47f9

summary

CKEditor 4 ReDoS Vulnerability
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-26271

reference_id

reference_type

scores

value	0.00617
scoring_system	epss
scoring_elements	0.69867
published_at	2026-04-01T12:55:00Z

value	0.00617
scoring_system	epss
scoring_elements	0.69964
published_at	2026-04-21T12:55:00Z

value	0.00617
scoring_system	epss
scoring_elements	0.69982
published_at	2026-04-18T12:55:00Z

value	0.00617
scoring_system	epss
scoring_elements	0.69972
published_at	2026-04-16T12:55:00Z

value	0.00617
scoring_system	epss
scoring_elements	0.69929
published_at	2026-04-13T12:55:00Z

value	0.00617
scoring_system	epss
scoring_elements	0.69943
published_at	2026-04-12T12:55:00Z

value	0.00617
scoring_system	epss
scoring_elements	0.69959
published_at	2026-04-11T12:55:00Z

value	0.00617
scoring_system	epss
scoring_elements	0.69935
published_at	2026-04-09T12:55:00Z

value	0.00617
scoring_system	epss
scoring_elements	0.69919
published_at	2026-04-08T12:55:00Z

value	0.00617
scoring_system	epss
scoring_elements	0.69871
published_at	2026-04-07T12:55:00Z

value	0.00617
scoring_system	epss
scoring_elements	0.69894
published_at	2026-04-04T12:55:00Z

value	0.00617
scoring_system	epss
scoring_elements	0.69879
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-26271

reference_url	https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first
reference_id
reference_type
scores
url	https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26271
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26271

reference_url

https://github.com/ckeditor/ckeditor4

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/ckeditor/ckeditor4

reference_url

https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-26271

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-26271

reference_url

https://web.archive.org/web/20210128132707/https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20210128132707/https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first

reference_url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982587
reference_id	982587
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982587

reference_url

https://github.com/advisories/GHSA-jv4c-7jqq-m34x

reference_id

GHSA-jv4c-7jqq-m34x

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jv4c-7jqq-m34x

fixed_packages

url pkg:npm/ckeditor4-dev@4.16.0

purl pkg:npm/ckeditor4-dev@4.16.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-uw7w-utew-ufb2

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ckeditor4-dev@4.16.0

aliases CVE-2021-26271, GHSA-jv4c-7jqq-m34x

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c8r2-wpf3-47f9

url VCID-uw7w-utew-ufb2

vulnerability_id VCID-uw7w-utew-ufb2

summary

Code Snippet GeSHi plugin in CKEditor 4 has reflected cross-site scripting (XSS) vulnerability
### Affected packages
The vulnerability has been discovered in [Code Snippet GeSHi](https://ckeditor.com/cke4/addon/codesnippetgeshi) plugin. All integrators that use [GeSHi syntax highlighter](https://github.com/GeSHi/geshi-1.0) on the backend side can be affected.

### Impact
A potential vulnerability has been discovered in CKEditor 4 [Code Snippet GeSHi](https://ckeditor.com/cke4/addon/codesnippetgeshi) plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the [GeSHi syntax highlighter library](https://github.com/GeSHi/geshi-1.0) hosted by the victim.

The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server.

### Patches

The [GeSHi library](https://github.com/GeSHi/geshi-1.0) is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software.

To integrators who still want to use the GeSHi syntax highlighter, we recommend manually adding the [GeSHi library](https://github.com/GeSHi/geshi-1.0) . Please be aware of and understand the potential security vulnerabilities associated with its use.

The fix is be available in version 4.25.0-lts.

### Acknowledgements

The CKEditor 4 team would like to thank [Jiasheng He](https://github.com/Hebing123) from Qihoo 360 for recognizing and reporting this vulnerability.

### For more information

Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-43407

reference_id

reference_type

scores

value	0.01851
scoring_system	epss
scoring_elements	0.82953
published_at	2026-04-02T12:55:00Z

value	0.01851
scoring_system	epss
scoring_elements	0.83041
published_at	2026-04-21T12:55:00Z

value	0.01851
scoring_system	epss
scoring_elements	0.83039
published_at	2026-04-18T12:55:00Z

value	0.01851
scoring_system	epss
scoring_elements	0.83
published_at	2026-04-13T12:55:00Z

value	0.01851
scoring_system	epss
scoring_elements	0.83004
published_at	2026-04-12T12:55:00Z

value	0.01851
scoring_system	epss
scoring_elements	0.8301
published_at	2026-04-11T12:55:00Z

value	0.01851
scoring_system	epss
scoring_elements	0.82995
published_at	2026-04-09T12:55:00Z

value	0.01851
scoring_system	epss
scoring_elements	0.82987
published_at	2026-04-08T12:55:00Z

value	0.01851
scoring_system	epss
scoring_elements	0.82962
published_at	2026-04-07T12:55:00Z

value	0.01851
scoring_system	epss
scoring_elements	0.82965
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-43407

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43407
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43407

reference_url

https://github.com/ckeditor/ckeditor4

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/ckeditor/ckeditor4

reference_url

https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T19:12:17Z/

url

https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94

reference_url

https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T19:12:17Z/

url

https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa

reference_url

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T19:12:17Z/

url

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-43407

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-43407

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083192
reference_id	1083192
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083192

reference_url

https://github.com/advisories/GHSA-7r32-vfj5-c2jv

reference_id

GHSA-7r32-vfj5-c2jv

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7r32-vfj5-c2jv

fixed_packages

url	pkg:npm/ckeditor4-dev@4.25.0-lts
purl	pkg:npm/ckeditor4-dev@4.25.0-lts
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/ckeditor4-dev@4.25.0-lts

aliases CVE-2024-43407, GHSA-7r32-vfj5-c2jv

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uw7w-utew-ufb2

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ckeditor4-dev@4.14.1

Package Instance